I read the Schnorr and MuSig papers and stumbled upon the problem that the use of deterministic nonces in multisignatures is not safe. The adversary would be able to extract the private key from the victim if he initiates a second signing session with the victim on the same message but changes his own public nonce.
This happens because this also changes the partial signature of the victim (s = r + c*x).
The challenge is constructed in this way: c = H(R||m) (the non-key-prefixed version).
I'm wondering: would excluding the public nonce from the H-sig challenge not result in a constant signature for all signers and therefore allow the use of deterministic nonces? The challenge could be c = H(m) or c = H(P||m).
Why is R (the public nonce) included in the hash function in the first place? I'm sure there is a good reason that I could not find.
ECDSA doesn’t have that.
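As an added illustration (not part of the original post), a toy Schnorr scheme over a small, deliberately insecure modular group shows both points raised above: a cosigner that reuses a deterministic nonce r across two sessions with different aggregated nonces leaks x through its two partial signatures, and a challenge c = H(m) that omits R lets anyone pick s first and solve for an R that verifies, which is why R has to be bound into the hash. The group parameters (P = 2039, Q = 1019, G = 4), the hash encoding and all sample values are assumptions made for this example.

```python
import hashlib

# Constructed toy group (insecure, for illustration only): the subgroup of
# prime order Q = 1019 inside Z_P^*, with P = 2*Q + 1 = 2039 and generator G = 4.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Challenge hash: SHA-256 over the '|'-joined parts, reduced mod Q."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def challenge(m, R=None):
    """c = H(R||m) as in the post, or c = H(m) for the proposed variant (R omitted)."""
    return H(m) if R is None else H(R, m)

def sign(x, m):
    """Single-signer Schnorr with a deterministic nonce r = H(x||m): safe here,
    because the signer alone controls the R that enters the challenge."""
    r = H(x, m)
    R = pow(G, r, P)
    return R, (r + challenge(m, R) * x) % Q

def verify(pub, m, R, s, bind_nonce=True):
    """Checks G^s == R * pub^c; bind_nonce=False models the c = H(m) proposal."""
    c = challenge(m, R if bind_nonce else None)
    return pow(G, s, P) == R * pow(pub, c, P) % P

def partial_sig(x, r, R_agg, m):
    """A cosigner's MuSig-style share: s = r + c*x with c = H(R_agg||m)."""
    c = challenge(m, R_agg)
    return (r + c * x) % Q, c

def nonce_reuse_leak(x_victim, m):
    """The victim signs m twice with the same deterministic r, while the other
    cosigner changes its public nonce: c changes, r does not, and x falls out.
    Defence: the nonce must be fresh per session, not a function of (x, m) alone."""
    r_victim = H(x_victim, m)
    R_victim = pow(G, r_victim, P)
    s1, c1 = partial_sig(x_victim, r_victim, R_victim * pow(G, 7, P) % P, m)
    for r_other in range(8, Q):      # any other nonce that changes the challenge
        s2, c2 = partial_sig(x_victim, r_victim, R_victim * pow(G, r_other, P) % P, m)
        if c2 != c1:
            break
    # s1 - s2 = (c1 - c2) * x  (mod Q): two equations, one unknown
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

def forge_without_nonce_binding(pub, m, s=5):
    """With c = H(m), R is free: choose s, then set R = G^s * pub^(-c)."""
    c = challenge(m)
    R = pow(G, s, P) * pow(pub, -c, P) % P   # negative exponent: Python 3.8+
    return R, s
```

The forged pair passes only the verifier that omits R from the challenge; once R is hashed, R cannot be chosen after c is fixed, which is the reason the post asks about.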